@vreid473:

Bonus:
1.  If this code also includes a check box to automatically create the firewall rules to enable or disable https access to the pfsense web gui from the WAN interface, then I'll add $100.00 USD to the fee that I pay.  Note, for this bonus to be paid, this additional function needs to actually work, not just be the gui front end for this item.

Unless Bill complains I am willing to create such a feature. A few questions about the bonus feature.

If you want to be able to remotely administer the box you are currently aware that you can do this with a firewall rule, no?

I was thinking something along the following lines.
1 "Allow remote administration checkbox on the webgui port and protocol, with a field next to it to specify either a IP or a alias which is allowed to connect".

OR

2 "Allow remote administration checkbox, force the webgui to https, user port selection from general settings, with a field next to it to specify either a IP or a alias which is allowed to connect".

I am aware that there are quite a number of users that require access to the webgui on port 80 because of artificial reasons they can not control. So I wanted to make it possible to allow remote administration over port 80 http.
Although I consider it good practice to switch to https.

Would the following suggestion work for you, only allow setting the remote administration checkbox when the protocol is https on whatever the webgui port is? This would leave the choice of external port free, you can always set this on the general setup page.

Kind regards,

Seth

you might want to take a look at a project called ASTLINUX … it combines the Asterisk PBX with a very modest router/firewall ...  the firewall is not nearly as sophisticated as pFsense and does not support anywhere near the feature set ... however, if your requirement is very modest, it may do what you want it to do ...

I have experimented with Arno Firewall script that is included in Astlinux and find it to be reasonably capable as long as you are willing to do your homework (it has to be manually configured) and experiment with it a bit ...

I think that in most production environments, it is desirable to split these functions ... in my own case, I have a main office site where I use pFsense as the firewall and TrixBox as the VoIP server ... then at a few SOHO branch offices, I use Astlinux to provide IP telephony and rudimentary firewall ... I have succeeded in using the OpenVPN in Astlinux to make a secure connection back to the main office using the OpenVPN in pFsense ... and the TrixBox setup at the main office is able to transfer calls between the SOHO branch offices ....

so there is place for combined pbx/firewall ... but there is also a good argument for keeping the functions separate ...  its nice to have choices as one size rarely fits all ...

Thanks, why didn't I see this in the first place  ::)
Shame on me.
All looks good now.

Sorry, haven't been on in a while.  Yup, that's precisely it Scott.  It requires java on the client side, (at the web browser, not on the pfsense box).

The only downside to straight weirdx is that the x11 session is not encrypted, but if if we're talking about connections behind the firewall, that may not be an issue.  There is an implementation of WeirdX called "WeirdMind" which is a meld of WeirdX and MindTerm, so it's X11 over SSH.  That solution would be ideal, but to be truthful I had issues getting WeirdMind to work here.  Don't know if any other attempts at X11 over SSH in a similar manner have been attempted or not.

(Actually, reading the site, apparently it's been added using Jsch.)

USAGE AS AN APPLET ================== Copy "misc/weirdx.jar" and "misc/weirdx.html" to some directory, which is accessible through a http server, then open weirdx.html with a web browser via a http server. If everything goes well, WeirdX will start in your web browser. In default setting, WeirdX use display-name '<your hostname="">:2.0' . If you have Java Plug-in, try 'weirdx-JRE12.html'. In some situations, JVM may throw the Security Exception. WeirdX must gain access to TCP port(6002) and JVM may reject to do so.</your>

and

SSH2 X11 Forwarding in Java =========================== WeirdX allows you to get secure X accesses via SSH2 X11 forwarding in pure Java.  This functionality is based on JSch, which is a pure Java implementation of SSH2 and developed by JCraft under revised BSD license. It is available at http://www.jcraft.com/jsch/ . To enjoy this functionality, try following steps, 1\. Download JSch from http://www.jcraft.com/jsch/ .   You can get the source code of JSch and also jar file from there. 2\. Specify property 'weirdx.sshrexec' as 'yes'. 3\. Run WeirdX  For example, if you have two jar files, jsch-0.1.14.jar   and weirdx-1.0.32.jar,   java -Dweirdx.sshrexec=yes \         -cp jsch-0.1.14.jar\;weirdx-1.0.32.jar \         com.jcraft.weirdx.WeirdX 4\. A dialog window for rexec on ssh will be appeared. Please note that your JVM must be J2SE v1.4 or higher to enable this functionality. And also the souce code for this functionaly is named as 'com/jcraft/weirdx/SSHRexec.jav', so you have to rename it as 'com/jcraft/weirdx/SSHRexec.java' to compile it.

@sullrich:

I suggest getting 100% up front.  The BandwidthD bounty is starting to be a model of why we want 100% up front.

First of all he should do the spec anyway. I am not willing to work on a bounty without knowing the exact requirements.

Regards
Daniel S. Haischt

I just tested the setup with a pfsense unit on 192.168.10.x and two remotes at 192.168.12.x and while the tunnels establish, the route only works on the first tunnel that connects.

Thanks,
Ken

Yes, provide me some information on subnets and IPs and we can arrange a time for a remote session if it's doable. That's why I first need details on networks and so on.

Thanks again for all the squid work.  Hope nobody minds if databeestje gets the $125 remaining on my bounty.  I'm really looking forward to the last few kinks getting worked out soon.

Maybe some of the other Squid users out there could pitch in a bit too, data deserves it!

OK, I am offering a $100 dollars bounty for every of my 4 wishes.

@trendchiller:

losing WPA is a bad thing…  :-
please don't do so...

I doubt anyone is gonna jump on this bounty anyway.  The amount of work involved would require someone who was motivated by much more than the bounty.

–Bill

Hello,

these documents/links should get you going with configuring a custom kernel for FreeBSD:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html

Beside a custom kernel, you need to additionally choose a specific Linux base system, that you have to install into /opt (IIRC FreeBSD takes care of that step). Please have a look at http://www.freebsd.org/cgi/ports.cgi?query=%5Elinux_base-&stype=name&sektion=emulators to figure out which Linux based systems are available at the time.

How to configure the Linux binary compatibility layer is described here: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/linuxemu.html.

Beside that I really have some issues to understand why someone is going to run Linux emulation or even applications similar to seti@home on a FreeBSD based firewal or router OS.

Regards
Daniel S. Haischt

I am working on getting others to help out with the bounty :)!  I have a client and if I can market this to them and get the go ahead I will put all the money towards this bounty ($2000 or so).

Are you willing to (temporarily) provide the card or cards for R&D to complete this?

PS. I added a page to the wiki, last link on the main page. Please take a look.

Locking topic.  Please see http://forum.pfsense.org/index.php/topic,2718.0.html for the new thread on this.  Thanks

–Bill

It appears that we're interested in some of the same features, mastermindpro.
I'll pitch in another $300+ on this bounty if they can also implement individual bandwidth limits, etc as specified in this bounty inquiry…
http://forum.pfsense.org/index.php/topic,1802.0.html

i guess i could close this now i have managed to get quagga running a few months ago and it serves my purpose does anyone have any get extensions to this that would allow them to collect this bounty if not i will close the offer

Oh, I see.  I'll go check their lists/boards and perhaps post there.  Thanks.